A-2
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Appendix A AAA Protocols
Typical Use Cases

Session Access Requests (Device Administration [TACACS+])

Note The numbers refer to Figure A-1 on page A-1.
For session request:
1. An administrator logs into a network device.
2. The network device sends a TACACS+ access request to ACS.
3. ACS uses an identity store to validate the user's credentials.
4. ACS sends a TACACS+ response to the network device that applies the decision. The response includes parameters, such as the privilege level that determines the level of administrator access for the duration of the session.

Command Authorization Requests

Note The numbers refer to Figure A-1 on page A-1.
For command authorization:
1. An administrator issues a command at a network device.
2. The network device sends a TACACS+ access request to ACS.
3. ACS optionally uses an identity store to retrieve user attributes for inclusion in policy processing.
4. The TACACS+ response indicates whether the administrator is authorized to issue the command.

Network Access (RADIUS With and Without EAP)

For network access, a host connects to the network device and requests to use network resources. The network device identifies the newly connected host, and, using the RADIUS protocol as a transport mechanism, requests ACS to authenticate and authorize the user.
ACS 5.4 supports the following categories of network access flows, depending on the protocol that is transported over the RADIUS protocol:

RADIUS-based protocols that do not include EAP:
  - PAP
  - CHAP
  - MSCHAPv1
  - MSCHAPv2
  For more information on RADIUS-based protocols that do not include EAP, see RADIUS-Based Flow Without EAP Authentication, page A-3.

EAP family of protocols transported over RADIUS, which can be further classified as:
  Simple EAP protocols that do not use certificates:
    - EAP-MD5
    - LEAP
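The credential check that ACS performs for the two simplest non-EAP methods listed above, PAP and CHAP, worked through in code. This is an added example, not Cisco or ACS code: it implements the RFC 2865 User-Password hiding that the network device applies to a PAP password and the RFC 1994 CHAP digest, then verifies both the way a RADIUS server would; the shared secret, Request Authenticator, challenge and stored password are constructed sample values.

```python
import hashlib
import hmac

def hide_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding, as the network device does it for PAP: NUL-pad to
    16-byte blocks, XOR each block with MD5(secret || previous block), seeded by the Request Authenticator."""
    padded = password.ljust(max(16, ((len(password) + 15) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))  # ciphertext feeds next block
        out += prev
    return out

def reveal_user_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_user_password, run by the RADIUS server before it can consult the identity store."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(prev, block))
    return out.rstrip(b"\x00")

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || password || challenge).
    On the wire the NAS sends CHAP-Password = ident byte + digest, and CHAP-Challenge = challenge."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def verify_pap(hidden: bytes, secret: bytes, req_auth: bytes, stored_pw: bytes) -> bool:
    """Server-side PAP check; the shared secret is all that protects the password in transit."""
    return hmac.compare_digest(reveal_user_password(hidden, secret, req_auth), stored_pw)

def verify_chap(chap_password: bytes, challenge: bytes, stored_pw: bytes) -> bool:
    """Server-side CHAP check. The server must hold the cleartext (or reversibly stored)
    password to recompute the digest; a salted one-way hash store cannot serve CHAP."""
    ident, response = chap_password[0], chap_password[1:]
    return hmac.compare_digest(chap_response(ident, stored_pw, challenge), response)

def demo() -> dict:
    """Constructed sample values for one user; returns the server-side decisions."""
    secret, req_auth, stored_pw = b"acs-shared-secret", bytes(range(16)), b"Str0ngPassw0rd!"
    hidden = hide_user_password(stored_pw, secret, req_auth)        # PAP: what the NAS forwards
    challenge = bytes(16 * [0x5A])                                   # CHAP: challenge the NAS issued
    chap_pw = bytes([1]) + chap_response(1, stored_pw, challenge)    # CHAP: what the NAS forwards
    return {"pap_ok": verify_pap(hidden, secret, req_auth, stored_pw),
            "pap_wrong_secret": verify_pap(hidden, b"wrong", req_auth, stored_pw),
            "chap_ok": verify_chap(chap_pw, challenge, stored_pw),
            "chap_other_challenge": verify_chap(chap_pw, bytes(16), stored_pw)}
```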